Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

10g and 11g PL/SQL Unwrapper source code available

I was emailed by an old friend of mine at the weekend to point me at Niels Teusink's blog post about his new 10g/11g PL/SQL unwrapper written in python. There have been a number of unwrappers available over the years (for free download and for sale and also written by researchers), the most recent being Anton Scheffers code referenced in my blog post "Details of a 10g PL/SQL Unwrapper available" but Anton defered from releasing the look-up table that David Litchfield suggested might be considered a trade secret in his Oracle Hackers Handbook description of the algorithm. The table is not hard to locate or indeed generate as Anton cleverly showed using code cracking techniques but now Niels has made the code for the table available in his python script.

Of course readers of this blog will know that I have written about unwrapping PL/SQL many times as its one of my areas of interest. I have written unwrappers in C and also in PL/SQL for all PL/SQL versions that support wrapping - there are some interesting differences in some of the language versions. The biggest being the change in algorithm between 9iR2 and 10gR1. The wrapped code looks better in 10g from the surface but the algorithm, is much weaker. A comparison of Niels code and my Blackhat paper should illustrate this. The major issue with 9i was that the symbol table was visible but 9i and earlier wrap is based on the ideas of ADA / DIANA and its design ethos that the code be stored as DIANA is written out as IDL and each tool should consume DIANA; this made unwrapping an integral part of the design of ADA/DIANA.

I showed in my Blackhat paper that the DIANA/IDL is still there in 10g but some commentors since have miss-interpreted this and stated that I said 10g wrap was the same as 9i. This is not true, what i really showed is that the same mechanisms are still there, PL/SQL still used DIANA and IDL; thats because the 9i wrap is the internal state of the PL/SQL compiler; the compiler is still there of course but the wrap mechanism has changed.

Niels blog post is titled "Unwrapping Oracle PL/SQL with unwrap.py" and his python script is called "unwrap.py"

The last time i talked about unwrapping PL/SQL was in a post called "Unwrapping PL/SQL" and this post references some of my other posts including the Blackhat paper and links to Antons work.

Secure External Password Store

Paul has made a nice post on his blog about the use of the secure external password store and specifically he has compared the use of a Wallet to that of storing a password in a text file (such as a script) and what the benefit is in terms of using a wallet generated and managed by Oracle to that of simply using a file. The conclusion is that they are very similar because the weak point is file permissions. Paul has shown how you can use secure external password store and create a wallet on one machine and then copy the wallet to another and simply use it to connect to a remote database without knowledge of the password.

Paul's article is called "Oracle Wallet AUTO LOGIN ~ common misconception corrected" - the common misconception is that the wallet is tied to the machine or user its create on/for - It is not!

Also for background reading Tim has an excellent paper on http://www.oracle-base.com/articles/10g/SecureExternalPasswordStore_10gR2.php - (broken link) how to use Secure External password store here.

Nice paper Paul!

Java forensics and Apps Security (twice)

I made a note of Pauls recent post to his blog titled "Java Forensics In Oracle" with an intention to mention it here but never got much time over the last few weeks to blog. This is a very interesting peice on Java forensics and highlights the big issue in Oracle databases, that is that a lot of evidence is often left when executing actions in the database, particularly actions that invlove complex features such as the Java VM embedded in the database. It is a very nice article Paul!

I also saw via Joxeans twitter that he has posted his "Oracle hackproofing Oracle financials R12" presentation from rooted conference. This is a nice presentation covering some old 11i issues and some new R12 issues.

I also bought recently the new book by Jeff Hare - "Oracle E-Business Suite Controls: Application Security Best Practices (Paperback)" which is very good and is also supposed to be the first in a series of books on E-Business Suite security and controls. I liked the book very much and read it on a couple of plane rides recently. I have also just ordered the newest version of the little ISACA Oracle database security book, some words on that when it arrives from the states.